Tag: WordPress

From the announcement post: this maintenance release addresses 13 bugs in version 3.6.

Additionally: Version 3.6.1 fixes three security issues:

Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem. CVE pending.

Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij. CVE pending.

Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention. CVE pending.

Additional security hardening:

Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
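The upload restriction described above can also be enforced from a site's own code, which is useful for understanding what the hardening does and for reinstating it when a theme or plugin re-adds those file types. The following is an added example, not WordPress core code and not Greenville Web's code: a small plugin that hooks the real `upload_mimes` filter, removes .swf and .exe, and strips .htm/.html unless the current user has the `unfiltered_html` capability. The plugin name and function name are my own.

```php
<?php
/*
Plugin Name: Example Upload Hardening (added example, mirrors the 3.6.1 defaults)
Description: Drops .swf/.exe uploads and allows .htm/.html only for users with unfiltered_html.
*/

// Priority 99 so this runs after any plugin that re-adds types at the default priority 10.
add_filter( 'upload_mimes', 'example_restrict_upload_mimes', 99 );

function example_restrict_upload_mimes( array $mimes ) {
    // Keys in $mimes are pipe-joined extension lists, e.g. 'htm|html' => 'text/html'.
    // Extensions WordPress 3.6.1 removed from the default list.
    $always_blocked = array( 'swf', 'exe' );

    // Extensions allowed only for users who may post unfiltered HTML.
    $html_only = array( 'htm', 'html' );
    $may_upload_html = current_user_can( 'unfiltered_html' );

    foreach ( array_keys( $mimes ) as $ext_list ) {
        foreach ( explode( '|', $ext_list ) as $ext ) {
            $ext = strtolower( $ext );
            if ( in_array( $ext, $always_blocked, true )
                || ( ! $may_upload_html && in_array( $ext, $html_only, true ) ) ) {
                // Remove the whole entry so no alias extension slips through.
                unset( $mimes[ $ext_list ] );
                break;
            }
        }
    }

    return $mimes;
}
```

Drop the file into wp-content/plugins/ (or mu-plugins/) and activate it. Because the check runs inside the filter that WordPress consults for every upload, it applies to the media uploader, the REST and XML-RPC paths, and anything else that calls wp_check_filetype_and_ext(); only a user who already holds unfiltered_html, the same capability that lets them post raw HTML anyway, keeps the ability to upload .htm/.html files.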

Hi Andrew,
Wow! I was impressed with the quality that you provided for such remarkable turn-around time, and the minuscule amount of time you needed to complete this project. In my failed attempt to produce my primitive version of this website, I read over 100 pages of instructions, completed tutorials on the internet, viewed “how-to-do-it” videos, skimmed two books, “published” (uploaded) each webpage countless times, and spent well over 40 hours failing to produce what you accomplished in minutes. Good for you (and of course, good for me to have found you)!

Steven Heller

Steven had called up the office because he was having a hard time building his website using Adobe Contribute. Greenville Web had an old article on building websites using Adobe Contribute, and that’s how Steven found us.

After a quick consultation, I could see that Contribute was not the right solution, and about an hour after I had received the copy and images for Steven’s website, I had him set up at WordPress.com with free hosting and a great-looking website.

I don’t normally pat myself on the back but after reading what Steven wrote (above) I felt that I wanted to share it.

Give me a call at 864-735-8378 and maybe I can save you a lot of time and money too!

WordPress, as a Content Management System, is a secure platform. The weak link is YOU!

Yup, it’s your password, the one that you use for every website from bank accounts to email. It could be your dog’s name, or your wife’s middle name and birthday; it’s something that no one who didn’t know you would ever guess.

The problem is that software can guess it.

WPScan is a “WordPress Security Scanner” sponsored by the RandomStorm Open Source Initiative *. WPScan, like a scalpel, is a great tool in the right hands; it’s just destructive when used by the malicious or the criminal.
WPScan is free and available to anyone with an internet connection.

Using WPScan, a bad actor can attack your login using the aptly named Brute Force Attack **.

A Brute Force Attack is when software like WPScan is used to figure out your website’s username (easy if it is admin); once it has that, it tries every possible password until it succeeds.

If your password is letmein or jesus ***, God help you! You’ll be owned in a few hours.

This is where common sense can save you

Don’t ever use a password like the two above! Shame on you!

Don’t ever use admin as your username; if you do, call me so I can come over and slap you. And YES, you deserve it.

Update WordPress when a patch is released.

This is because any security fixes addressed by that patch become common knowledge soon after the patch is pushed to you, so an unpatched site is an easy target.

The major feature updates are normally released as point upgrades, as in 3.4 to 3.5. These updates you can wait on if you’re worried about a Theme or Plugin breaking.

Hire a professional to manage your site.

If you make money off your website and it is a crucial part of your business, treat it with the respect it deserves. You’re not a web developer; you’re a lawyer, an innkeeper, a fill-in-the-blank. And your nephew with a computer is… well… you get it.

Install the Limit Login Attempts **** plugin.

This plugin will block software like WPScan from Brute Forcing your password. It works by blocking the IP address a login came from after X failed login attempts.

You can set the length in hours of the block and the number of failed attempts before the block kicks in.

If you forget your own password just remember to reset it before you get blocked.
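To make the mechanism concrete, here is an added example (my own code, not the Limit Login Attempts plugin and not Greenville Web's) of the same idea written as a small WordPress plugin: it counts failed logins per IP address using transients, blocks that IP for a configurable number of hours once the limit is reached, and clears the counter on a successful login. The plugin name, function names and the two constants are my own; `wp_login_failed`, `authenticate`, `wp_login`, the transient functions and `HOUR_IN_SECONDS` are real WordPress APIs.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not the Limit Login Attempts plugin)
Description: Blocks an IP address for a number of hours after too many failed logins.
*/

// The two settings the post describes: failed attempts allowed, and block length in hours.
define( 'EXAMPLE_LOCKOUT_ATTEMPTS', 4 );
define( 'EXAMPLE_LOCKOUT_HOURS', 20 );

// Transient key for this client, e.g. example_lockout_count_<md5 of ip>.
// REMOTE_ADDR is the direct peer; behind a reverse proxy or CDN it would be the
// proxy's address, so there you would derive the client IP from a trusted header instead.
function example_lockout_key( $suffix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lockout_' . $suffix . '_' . md5( $ip );
}

function example_lockout_seconds() {
    return EXAMPLE_LOCKOUT_HOURS * HOUR_IN_SECONDS;
}

// Fires after WordPress rejects a username/password pair.
add_action( 'wp_login_failed', 'example_record_failed_login' );
function example_record_failed_login( $username ) {
    // Already blocked: don't keep extending the block on every rejected retry.
    if ( get_transient( example_lockout_key( 'blocked' ) ) ) {
        return;
    }
    $count = (int) get_transient( example_lockout_key( 'count' ) ) + 1;
    set_transient( example_lockout_key( 'count' ), $count, example_lockout_seconds() );

    if ( $count >= EXAMPLE_LOCKOUT_ATTEMPTS ) {
        set_transient( example_lockout_key( 'blocked' ), time(), example_lockout_seconds() );
        // Leave a trail in the PHP error log so repeated lockouts are visible.
        error_log( sprintf( 'example-lockout: blocked %s after %d failed logins (last username: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown', $count, $username ) );
    }
}

// Priority 30 runs after the core password check (priority 20), so a blocked IP
// is refused even if it finally guesses the right password.
add_filter( 'authenticate', 'example_refuse_blocked_ip', 30, 3 );
function example_refuse_blocked_ip( $user, $username, $password ) {
    if ( get_transient( example_lockout_key( 'blocked' ) ) ) {
        return new WP_Error( 'too_many_retries',
            sprintf( 'Too many failed login attempts. Try again in %d hours.', EXAMPLE_LOCKOUT_HOURS ) );
    }
    return $user;
}

// A successful login resets the counter for that IP.
add_action( 'wp_login', 'example_clear_failed_logins' );
function example_clear_failed_logins() {
    delete_transient( example_lockout_key( 'count' ) );
}
```

With these settings a guessing tool gets four attempts and then a 20-hour wait, which turns "every possible password in a few hours" into a few hundred guesses a month; it also explains the post's last tip, since the counter does not know the difference between an attacker and you mistyping your own password. Transients live in the options table (or the object cache, if one is configured), so the block survives across requests without any extra storage.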